Abstract

This paper presents a general theory of system composition for “possibilistic” security properties. We see that these properties fall outside of the Alpern-Schneider safety/liveness domain and hence are not subject to the Abadi-Lamport Composition Principle. We then introduce a set of trace constructors called selective interleaving functions and show that possibilistic security properties are closure properties with respect to different classes of selective interleaving functions. This provides a uniform framework for analyzing these properties and allows us to construct a partial ordering for them. We present a number of composition constructs, show the extent to which each preserves closure with respect to different classes of selective interleaving functions, and show that they are sufficient for forming the general hook-up construction. We see that although closure under a class of selective interleaving functions is generally preserved by product and cascading, it is not generally preserved by feedback, internal system composition constructs, or refinement. We examine the reason for this.

1 Introduction

The ability to build systems that satisfy a given property from a selected set of specified components is a requisite for the production of networks, the production of systems using off-the-shelf products, and the production of systems from verified components. However, a general ability to build composite high-assurance systems presupposes a general theory of system composition. Such a theory provides insight into why certain properties are preserved or not preserved by certain forms of composition. More importantly, for a large class of properties and a variety of composition constructs, it answers questions of the form: “If a system satisfying property X is composed with a system satisfying property Y using composition construct Z, what properties will the composite system satisfy?”

A general theory of system composition is clearly lacking for confidentiality properties. We know that Restrictiveness [8] and Noninference [14, 16] are preserved by general composition or hookup¹, that Nondeducibility on Strategies [17] is preserved by asynchronous composition [15], and that many properties are not preserved by general composition. However, we know nothing about the composability of Restrictiveness, Noninference, or Nondeducibility on Strategies with properties besides themselves, and we know nothing about the composability of other properties beyond the fact that they are not preserved by general composition with themselves. For example, we do not know what properties would be satisfied by a system in which a component satisfying Deducibility Security [19] was cascaded with a component satisfying Restrictiveness. As a result, we use Restrictiveness or Noninference in cases where better properties (either simpler and just as secure in the case of Restrictiveness, or just as simple yet more secure in the case of Noninference) may work. As new properties are developed, the situation will deteriorate further.

For this reason general theories of system composition, such as the one developed by Abadi and Lamport [1], are extremely appealing. A number of researchers in the security community are attempting to use the Abadi-Lamport Composition Principle to develop a general theory of composition for confidentiality properties. However, the Abadi-Lamport Composition Principle is restricted to the class of properties that are definable within the safety/liveness property framework originally presented by Alpern and Schneider in [2]. Since “possibilistic” security properties (a class of properties which includes Generalized Noninterference, Restrictiveness, Noninference, Nondeducibility on Strategies, and Deducibility Security) fall outside this domain, the Abadi-Lamport Composition Principle is not directly applicable.

This paper presents a general theory of system composition for a class of “possibilistic” properties. In Section 2 we introduce a system model and a set of trace constructors called selective interleaving functions. The model space, an instantiation of the Alpern and Schneider framework, is extendible to probabilistic model spaces, e.g., as found in [5]. We consider the standard possibilistic security properties and two new ones: Generalized Noninference, which is an extension of Noninference, and Separability, which has affinities both to Rushby’s Separation Kernel [18] and to Nondeducibility on Strategies. We show that all of these properties are closure properties with respect to classes of selective interleaving functions. This provides a uniform framework for analyzing such properties and allows us to construct a partial ordering for them.

¹ Given two systems, their hookup is the composite system where each component system can communicate (receive input from and send output to) with both the other component system and the outside world.

In Section 3.1 we present three external composition constructs: product, cascade, and feedback. We show the extent to which each of these preserves closure with respect to different classes of selective interleaving functions and show that product and feedback are sufficient for forming the general hook-up construction. We see that Separability provides a composable alternative to Restrictiveness and Noninference, which is simpler than the former and more secure than the latter.

In particular we shall see that the product of two systems behaves quite well with respect to security properties. Further, when two systems are cascaded:

• Separability is preserved when composed with itself;

• Noninference is preserved when composed with itself and with Separability;

• Generalized Noninterference is preserved when composed with itself and with Separability; and

• Generalized Noninference is preserved when composed with itself, with Noninference, with Generalized Noninterference, and with Separability.

We shall also see that when two systems are composed with a feedback construction:

• Separability is preserved when composed with itself; and

• Noninference is preserved when composed with itself and with Separability.

The extent to which other properties are preserved when composed with the feedback construction depends on the particulars of the system. In Section 3.2 we see that this is also true for internal composition (union, intersection, and set difference) and for refinement. In Section 4 we shall gain some insight into why feedback and internal composition cause problems for possibilistic security properties.

This paper is not meant to be an argument for using possibilistic security models. I have discussed the limitations of such models elsewhere [10, 13] and shall not re-visit these issues here. However, when compared to their probabilistic counterparts, such as [5, 10], possibilistic security models provide us with a relatively simple model for building systems and have, for this reason, enjoyed a great deal of popularity. This paper is an attempt to understand these models and their composition more thoroughly and to provide better alternatives to the models than are currently available.

2 System Model and System Properties


In Section 2.1 we define the notion of a system state and use this definition to present the Alpern-Schneider concepts of a property, of a system, and of a property holding for a system. We also see how these concepts are embedded in the Abadi-Lamport concepts of a specification and of a system satisfying a specification. We then examine the limitations of the Alpern-Schneider framework for analyzing possibilistic security properties and their composition. In Section 2.2 we extend the Alpern-Schneider concept of a property by introducing the trace set property of being closed under a class of selective interleaving functions. This provides a framework for examining possibilistic security properties. We go on to establish some elementary facts about such properties and their relationships.

2.1 The Alpern-Schneider Framework and Its Limitations

The Alpern-Schneider framework is transparent with respect to any particular notion of system state. To make things more concrete, we introduce the following characterization:

Definition 2.1 (State Space) For nonnegative integers $m$ and $n$, let $(in_1, \ldots, in_m)$ be a tuple of $m$ distinct input variables and $(out_1, \ldots, out_n)$ be a tuple of $n$ distinct output variables such that the $i$th input variable ranges over some alphabet $I_i$ and the $i$th output variable ranges over some alphabet $O_i$. A state space is the set $\{((in_1, \ldots, in_m), (out_1, \ldots, out_n)) \mid in_i \in I_i \wedge out_i \in O_i\}$. An element of a state space is called a system state. □

As an example, consider the state space whose states are of the form $((in_1, \ldots, in_m), (out_1, \ldots, out_m))$ where for all $1 \le i \le m$: $I_i = O_i = \{0, 1, \lambda\}$. Assume that for some $1 \le n < m$: $in_1, \ldots, in_n$ and $in_{n+1}, \ldots, in_m$ are input channels that contain the inputs of $H = n$ distinct high-level users and $L = m - n$ distinct low-level users, respectively, and that $out_1, \ldots, out_n$ and $out_{n+1}, \ldots, out_m$ are output channels that contain the outputs to these same users. Of course, some of the high-level users may be Trojan Horses operating on behalf of some of the low-level users. If there is no current input or output on a particular channel, the channel takes on the value $\lambda$. In the future we shall refer to this state space with $H$ high-level users and $L$ low-level users as the two-level security state space, which we denote by $\Sigma$. We shall denote $(in_1, \ldots, in_n)$, $(in_{n+1}, \ldots, in_m)$, $(out_1, \ldots, out_n)$, and $(out_{n+1}, \ldots, out_m)$ by $highin$, $lowin$, $highout$, and $lowout$, respectively.
Notation for Tuples: Given a set $\sigma$, we shall use the notation $\sigma^n$ to denote $\sigma$’s $n$th-iterated Cartesian product $\sigma \times \ldots \times \sigma$, and given the symbol $a$, we shall use $a^n$ to denote the $n$-tuple $(a, \ldots, a)$. Given tuples $x = (x_1, \ldots, x_m)$ and $y = (y_1, \ldots, y_n)$, we shall use $x[i]$ to denote $x_i$ and $(x : y)$ to denote $(x_1, \ldots, x_m, y_1, \ldots, y_n)$. □

Definition 2.2 (Trace Set) Given a state space $\Sigma$, $\Sigma$’s trace space, written $trace(\Sigma)$, is the set $\{(s_1, s_2, \ldots) \mid s_i \in \Sigma\}$. An element of a trace space is called a trace. A subset of a trace space is called a trace set. A trace set $\sigma_1$ is a refinement of a trace set $\sigma_2$ if and only if $\sigma_1 \subseteq \sigma_2$. □

As an example, consider $\Sigma$ introduced above. The trace space $trace(\Sigma)$ is the set of traces of the form

$t = (((highin_1 : lowin_1), (highout_1 : lowout_1)), ((highin_2 : lowin_2), (highout_2 : lowout_2)), \ldots),$

where $highin_i$, $lowin_i$, $highout_i$, and $lowout_i$ represent the high-level and low-level input to and output from the system at time $i$.

By eliminating traces, refinements of $trace(\Sigma)$ can reduce nondeterminism and limit the input domain. However, since refinements cannot introduce new behaviors, any property that is satisfied by every trace of a subset of $trace(\Sigma)$ is preserved by every trace of any refinement of that subset. So, for example, if every trace in some trace set $\sigma \subseteq trace(\Sigma)$ has the property that $highout_i = highin_i + lowin_i$, then every trace in any refinement of $\sigma$ also has this property.

As another example of a trace set we shall find useful, consider the state space $\{((in), (out)) \mid in \in I \wedge out \in O\}$ where $I = O$. We shall call the trace set $\mathbf{I} = \{(((in_1), (out_1)), ((in_2), (out_2)), \ldots) \mid in_i = out_i\}$ the identity system.

Notation for Traces: Given a trace $t = (((in^1_1, \ldots, in^1_m), (out^1_1, \ldots, out^1_n)), ((in^2_1, \ldots, in^2_m), (out^2_1, \ldots, out^2_n)), \ldots)$, we shall use the following notational conventions:

$t[i] = ((in^i_1, \ldots, in^i_m), (out^i_1, \ldots, out^i_n))$;

$t[i \ldots k] = (((in^i_1, \ldots, in^i_m), (out^i_1, \ldots, out^i_n)), \ldots, ((in^k_1, \ldots, in^k_m), (out^k_1, \ldots, out^k_n)))$;

$in(t) = ((in^1_1, \ldots, in^1_m), (in^2_1, \ldots, in^2_m), \ldots)$;

$out(t) = ((out^1_1, \ldots, out^1_n), (out^2_1, \ldots, out^2_n), \ldots)$;

$in(t)[1 \ldots k] = ((in^1_1, \ldots, in^1_m), \ldots, (in^k_1, \ldots, in^k_m))$;

$out(t)[1 \ldots k] = ((out^1_1, \ldots, out^1_n), \ldots, (out^k_1, \ldots, out^k_n))$;

$in[1 \ldots k](t) = ((in^1_1, \ldots, in^1_k), (in^2_1, \ldots, in^2_k), \ldots)$;

$out[1 \ldots k](t) = ((out^1_1, \ldots, out^1_k), (out^2_1, \ldots, out^2_k), \ldots)$.

In the case of $trace(\Sigma)$, we shall use $highin(t)$, $lowin(t)$, $highout(t)$, and $lowout(t)$ to refer to $in[1 \ldots n](t)$, $in[(m - n) \ldots m](t)$, $out[1 \ldots n](t)$, and $out[(m - n) \ldots m](t)$, respectively. □

Following Alpern and Schneider, a property and a system are both trace sets, and a property holds for a system if and only if the system is a refinement of the property [2]. Intuitively, a property trace set consists of those traces that satisfy the property and a system trace set consists of those traces that the system can exhibit. Abadi and Lamport add to this framework the concept of a specification, which is a property formed by taking the union of the set of traces that conform to a system’s desired behavior and the set of traces that contain violations of a system’s input restrictions [1]. The latter set reflects assumptions about the environment in which the system is to be run. The former set reflects requirements about how a system can react when placed in an environment that satisfies its input restrictions. A program satisfies a specification if the specification holds for the program.

The Alpern-Schneider framework is very appealing. The conception of property as a set of traces has the theoretical consequence of making every property the intersection of a safety property and a liveness property [2], and the conception of an implementation as refinement seems very natural given the fact, noted above, that refinement preserves properties of traces. Further, the ability to specify input restrictions makes it unnecessary to reason about a system’s reaction to an environment that fails to satisfy its restrictions. This is in contrast to the assumption of input totality usually made in the security community, for example, in [8, 19]. Finally, the Abadi-Lamport Composition Principle makes it possible to determine from component specifications whether or not a composite comprising those components satisfies its specification.

A limitation of the Alpern-Schneider framework is that not every system property of interest is a property of traces. For example, Abadi and Lamport note that average response time over all possible executions is not a property of traces. They do not seem to regard this as a serious limitation of the Alpern-Schneider framework, however, since there is a trace property that approximates it (viz., average response time over long sequences of events within a single trace) [1].

However, there are system properties for which it is unclear that such “nice” trace-level approximations exist. For example, consider a multi-level system that takes a set of integers as input $in_i$ and returns some permutation of the set as output $out_i$. Confidentiality considerations may lead to the requirement that the permutation a low-level user sees cannot be affected by high-level input (i.e., any legal low-level permutation is co-possible with any legal high-level input). Integrity considerations may lead to the requirement that the permutation that a high-level user sees cannot be affected by low-level input (i.e., any legal high-level permutation is co-possible with any legal low-level input). Availability considerations may lead to the requirement that if a system’s high-level response time slows down, the delay cannot have been caused by low-level behavior (i.e., any legal high-level delay must be co-possible with any legal low-level input).

The fact that possibilistic properties are not properties of traces follows immediately from the fact that they are not preserved by trace subsetting [12].² For example, consider the two-user security state space, $\Sigma$, and the confidentiality property $P$ that any legal low-level behavior must be co-possible with all legal high-level behaviors. If $P$ were a property of traces, there would be a set $\sigma$ consisting of those traces of $trace(\Sigma)$ that satisfy $P$, and systems would satisfy $P$ only in the sense that they were subsets of $\sigma$. Since a system $\sigma_1$ consisting of all traces trivially satisfies $P$, $\sigma_1$ would be a subset of $\sigma$. However, a system $\sigma_2$ consisting of those traces $t$ of $\sigma_1$ in which high-level input $highin(t)[i]$ is echoed as low-level output $lowout(t)[i + 1]$ does not satisfy $P$ and, therefore, would not be a subset of $\sigma$. Hence, if $P$ were a property of traces, we would be faced with the contradiction that $\sigma_1$ would be a subset of $\sigma$, yet $\sigma_2$ would not be a subset of $\sigma$ even though $\sigma_2 \subseteq \sigma_1$. Similar arguments apply for each of the properties listed above since each requires that a system must exhibit certain behaviors (not in the liveness sense of saying that the behavior must eventually happen, but in the possibilistic sense that the system could have done otherwise).

Nor do these properties seem to have “nice” trace-level properties that approximate them. For example, it may be possible to form a trace-level approximation by borrowing techniques from the theory of Kolmogorov complexity and say that a trace is secure if knowledge of its low-level events does not help us to determine its high-level input [7]. However, such an approach would clearly sacrifice the relative simplicity possibilistic security models enjoy over their probabilistic counterparts [5, 10].

Although the fact that these security properties are not preserved by refinement implies the fact that these properties are not properties of traces, the two points are distinct and deserve to be separated. Returning to property $P$, the former point shows that functionally correct implementations of specifications that satisfy $P$ do not necessarily preserve $P$.³ The latter point is more fundamental. It shows that $P$ is not definable within the Alpern-Schneider framework to begin with. Hence, we may be able to write specifications that satisfy $P$, but we cannot reason about them or their composition within the Alpern-Schneider framework. Nor can we apply composition principles, such as Abadi and Lamport’s [1], that are limited to Alpern-Schneider properties.

² The fact that many confidentiality properties are not preserved by the standard notion of refinement has been noted by McCullough [8] and addressed, to some extent, in [4], [6], [11], and Section 3.2 of this paper. The fact that these properties are not trace sets is a distinct point, first pointed out to me by Jim Gray, although Gray’s original argument differs from the one presented here.

³ This is not simply because lower level implementation detail may introduce new channels, but because elimination of possible system output may turn zero capacity channels into positive capacity channels.


2.2 Security Models and Selective Interleaving Functions

If possibilistic security properties are not properties of traces, i.e., trace sets, what are they? The answer is that they are properties of trace sets, i.e., sets of trace sets. For example, consider the purge function that sets all high-level input and output in a trace $t$ to $\lambda$, i.e., the function $purge : trace(\Sigma) \to trace(\Sigma)$, such that

$purge(t) = (((\lambda^H : lowin(t)[1]), (\lambda^H : lowout(t)[1])), ((\lambda^H : lowin(t)[2]), (\lambda^H : lowout(t)[2])), \ldots).$

Noninference, originally due to O’Halloran [16], is the property that is satisfied by a trace set $\sigma$ if and only if $\sigma$ is closed under $purge$.⁴

For deterministic systems, Noninference is equivalent to Goguen and Meseguer’s Noninterference [3] if we assume that high-level output cannot be generated when there is no high-level input. Hence, for deterministic systems satisfying this assumption, Noninference shares Noninterference’s property of being practically perfect [10]. Further, Noninference is more general than Noninterference in that the latter fails to be directly applicable to nondeterministic systems. However, as noted in [13], Noninference is too strong for systems in which high-level output can exist without high-level input and too weak, in general, since it allows low-level output to be influenced by the insertion of high-level input.

By generalizing the notion of $purge$, we obtain a nondeterministic formulation of Noninterference that does not contain the assumption that high-level output can be generated only when there is high-level input. Say that $f : trace(\Sigma) \to trace(\Sigma)$ is an input purge if and only if $f(s) = t$ implies that $highin(t) = (\lambda^H, \lambda^H, \lambda^H, \ldots)$, $lowin(t) = lowin(s)$, and $lowout(t) = lowout(s)$. In other words, a function $f$ is an input purge if it sets all high-level inputs to $\lambda$ and does not alter low-level inputs or outputs. Two input purges may differ in what they assign to high-level outputs, however. For example, the function $purge$ defined above is the input purge that sets all high-level outputs to $\lambda$, but there are other input purges. Say that a system satisfies Generalized Noninference if and only if the system is closed under some input purge.

A formulation of Noninterference that does not employ purge functions but, instead, a more general concept of trace interleaving is derivative of Sutherland’s notion of Deducibility Security [19]. Consider the function $interleave : trace(\Sigma) \times trace(\Sigma) \to trace(\Sigma)$ such that $interleave(t_1, t_2) = t$ implies that $highin(t) = highin(t_1)$, $lowin(t) = lowin(t_2)$, $highout(t) = highout(t_1)$, and $lowout(t) = lowout(t_2)$. Say that a system satisfies Separability if and only if it is closed under $interleave$. Separability is preferable to Sutherland’s Deducibility Security, which requires only that a high-level history can be inserted somewhere in a low-level history, since Deducibility Security is extremely weak [13]. In fact, in many ways Separability more closely resembles Rushby’s notion of a Separation Kernel [18] and Wittbold and Johnson’s Nondeducibility on Strategies [17]. Separability is also stronger than Noninference and Generalized Noninference. In fact, its combination of strength and simplicity makes it close to being an ideal security property for nondeterministic systems, although it is limited to systems where low-level events cannot affect high-level events.⁵

⁴ A set $\sigma$ is closed under a function $f$ if and only if $s \in \sigma$ implies that $f(s) \in \sigma$. By analogy, we shall extend the notion to multi-argument functions. For example, $\sigma$ is closed under $f : \sigma \times \sigma \to \sigma$ if and only if $s_1 \in \sigma$ and $s_2 \in \sigma$ implies that $f(s_1, s_2) \in \sigma$.

A property that allows low-level events to influence high-level events can be obtained by generalizing the function $interleave$ in the same way that the class of input purges generalizes the function $purge$. Say that $f : trace(\Sigma) \times trace(\Sigma) \to trace(\Sigma)$ is an input interleaving if and only if $f(t_1, t_2) = t$ implies that $highin(t) = highin(t_1)$, $lowin(t) = lowin(t_2)$, and $lowout(t) = lowout(t_2)$. Generalized Noninterference, originally due to McCullough [8], is the property that a system possesses if it is closed under some input interleaving.⁶

What all of these security properties have in common is that each is a closure property with respect to some function that takes two traces and interleaves them to form a third trace. This observation motivates the following definition:


Definition 2.3 (Selective Interleaving Functions) Let $\Sigma$ be the state space $\{((in_1, \ldots, in_m), (out_1, \ldots, out_n)) \mid in_i \in I_i \wedge out_i \in O_i\}$, let $i \in \{0,1,2\}^m$, and let $j \in \{0,1,2\}^n$. A function $f : trace(\Sigma) \times trace(\Sigma) \to trace(\Sigma)$ is a selective interleaving function of type $F_{i,j}$ if and only if $f(t_1, t_2) = t$ implies that for all $x$ such that $i[x] = 1$: $in[x](t) = in[x](t_1)$; for all $x$ such that $i[x] = 2$: $in[x](t) = in[x](t_2)$; for all $x$ such that $j[x] = 1$: $out[x](t) = out[x](t_1)$; and for all $x$ such that $j[x] = 2$: $out[x](t) = out[x](t_2)$. □


Intuitively, a selective interleaving function of type $F_{i,j}$ takes its two argument traces and forms a new trace that agrees with the first argument trace with respect to input (output) channels $x$ such that $i[x]$ ($j[x]$) is equal to 1 and with the second argument trace with respect to input (output) channels $x$ such that $i[x]$ ($j[x]$) is equal to 2. Distinct selective interleaving functions of type $F_{i,j}$ differ on what they assign to input channels $x$ such that $i[x] = 0$ and output channels $x$ such that $j[x] = 0$. Hence, given $i$ and $j$ such that for no $x$ does $i[x] = 0$ or $j[x] = 0$, $F_{i,j}$ contains exactly one member.

⁵ This limitation is not as stringent as it may first appear since high-level users can be allowed to read low-level input and output channels. However, it prevents a system, e.g., from recording low-level events in an audit file that is to be sent out on a high-level channel.

⁶ This version of Generalized Noninterference is weaker than McCullough’s by not requiring that high-level output can be altered only at a point after which high-level input has been altered. However, this difference does not affect any of the composition results that follow, and it simplifies the presentation.

Figure 1: Partial Ordering of Possibilistic Security Models.

For example, Separability’s function $interleave$ is the single selective interleaving function of type $F_{(1^H:2^L),(1^H:2^L)} : trace(\Sigma) \times trace(\Sigma) \to trace(\Sigma)$, and Noninference’s $purge$ is the one-argument function one obtains by restricting Separability’s $interleave$ to the domain $\{((\lambda^{H+L}, \lambda^{H+L}), \ldots)\} \times trace(\Sigma)$. Generalized Noninterference’s input interleavings are the class of selective interleaving functions of type $F_{(1^H:2^L),(0^H:2^L)} : trace(\Sigma) \times trace(\Sigma) \to trace(\Sigma)$, and Generalized Noninference’s input purges are Generalized Noninterference’s input interleavings restricted to the domain $\{((\lambda^{H+L}, \lambda^{H+L}), \ldots)\} \times trace(\Sigma)$.

From this it is clear that for any system that contains $((\lambda^{H+L}, \lambda^{H+L}), \ldots)$, Separability is strictly stronger than Noninference and Generalized Noninterference is strictly stronger than Generalized Noninference. Further, since any selective interleaving function of type $F_{(1^H:2^L),(1^H:2^L)}$ is also of type $F_{(1^H:2^L),(0^H:2^L)}$, we see that Separability is strictly stronger than Generalized Noninterference and that Noninference is strictly stronger than Generalized Noninference. Hence, Separability is the strongest of our properties, and Generalized Noninference is the weakest. Generalized Noninterference and Noninference fall in between these two, but are not comparable with each other. (See Figure 1.)

It is obvious that closure under a class of selective interleaving functions is not generally preserved by refinement. However, we shall see some conditions under which it is preserved in Section 3.2. It is also obvious that every system is closed under the selective interleaving function of type $F_{(1,\ldots,1),(1,\ldots,1)}$ and the selective interleaving function of type $F_{(2,\ldots,2),(2,\ldots,2)}$, and that given a trace space $trace(\Sigma)$, only the trace sets $\{\}$ and $trace(\Sigma)$ are closed under all selective interleaving functions of type $F_{(0,\ldots,0),(0,\ldots,0)}$. The following theorems are also worth noting. The first shows that if a trace set is closed under one selective interleaving function, then it is closed under, at least, one other. The second shows that the identity system, $\mathbf{I}$, is closed under a variety of selective interleaving functions.
Theorem 2.4 Given $s = (s_1, \ldots, s_n) \in \{0,1,2\}^n$, let $s'$ denote $(s_1', \ldots, s_n')$ where $0' = 0$, $1' = 2$, and $2' = 1$. Given any state space $\Sigma$ and any trace set $\sigma \subseteq trace(\Sigma)$, if $\sigma$ is closed under some selective interleaving function $f$ of type $F_{i,j}$ then it is closed under some selective interleaving function $f'$ of type $F_{i',j'}$.

Proof:  For  all  x  such  that  *[#]  =  0:  let 

in(f'(sl,  s2))[,c]  =  in(f(s2,  si ) ) [.x-]  and  for  all  x 

such  that  {[*]  =  0:  let  out(f'(sl,  s2))[,c]  = 

out(f(s2,  si ))[#].  Note  that  /'(sl,s2)  =  f(s2,sl). 
Hence  /'  is  obviously  a  selective  interleaving  function 
of  type  Fi'  ji.  Since  a  is  closed  under  /,  it  is  also  closed 
under  /' .  □ 

Theorem 2.5 (Identity Theorem) For each $x \in \{1,2\}$, the identity system, $I$, is closed under the selective interleaving function of type $F_{(x),(x)}$. It is also closed under, at least, one selective interleaving function of type $F_{(x),(0)}$, at least, one selective interleaving function of type $F_{(0),(x)}$, and, at least, two selective interleaving functions of type $F_{(0),(0)}$.

Proof: The case for $F_{(x),(x)}$ is obvious. For a selective interleaving function $f$ of type $F_{(x),(0)}$ or of type $F_{(0),(x)}$, consider the selective interleaving function $f(s_1, s_2) = s_x$. For a selective interleaving function of type $F_{(0),(0)}$, consider the selective interleaving function $f_1$ such that $f_1(s_1, s_2) = s_1$ and the selective interleaving function $f_2$ such that $f_2(s_1, s_2) = s_2$. □


3  System  Composition 

In this section we consider the composition of systems. We first consider external composition constructs, i.e., constructs used to compose a network of systems from individual systems. We then consider internal composition constructs, i.e., constructs used to compose and refine policies within one system.

3.1  External  Composition  Constructs 

In this section we define three external composition constructs: product, cascade, and feedback. We examine the extent to which a system’s closure properties with respect to classes of selective interleaving functions are preserved by each construct and show that product and feedback are sufficient for performing general composition.¹ Our reason for separating cascade from feedback is to examine the behavior of confidentiality properties under different composition constructs. Feedback is not always necessary, and as we shall see in Section 4, it should be avoided whenever possible. Hence, it is useful to know how confidentiality properties behave in compositions where feedback is not used.

¹ This has also been noted by Millen, who attributes it to Rushby, although Millen’s construction differs from ours [15].

Figure 2: Product of $\sigma_1$ and $\sigma_2$


3.1.1  Product 

We begin by considering the product of two systems, i.e., the composition where two systems $\sigma_1 \subseteq \Sigma_1$ and $\sigma_2 \subseteq \Sigma_2$ are simply regarded as a single system $\sigma \subseteq \Sigma$. (See Figure 2.)

Definition 3.1 (Product) Let $\Sigma_1$ and $\Sigma_2$ be any two state spaces of the form $\{((in_1, \ldots, in_j), (out_1, \ldots, out_k)) \mid in_i \in I^1_i \wedge out_i \in O^1_i\}$ and $\{((in_1, \ldots, in_m), (out_1, \ldots, out_n)) \mid in_i \in I^2_i \wedge out_i \in O^2_i\}$, respectively. Given any two trace sets $\sigma_1 \subseteq \Sigma_1$ and $\sigma_2 \subseteq \Sigma_2$, $\sigma_1 \times \sigma_2$ is the trace set

$$\sigma = \{s \mid (\exists s_1 \in \sigma_1)(\exists s_2 \in \sigma_2)(in[1 \ldots j](s) = in(s_1) \wedge in[(j+1) \ldots (j+m)](s) = in(s_2) \wedge out[1 \ldots k](s) = out(s_1) \wedge out[(k+1) \ldots (k+n)](s) = out(s_2))\}.$$

$\sigma$ is called the product of $\sigma_1$ and $\sigma_2$. □

Theorem 3.2 (Composition Theorem for Products) Let $\sigma = \sigma_1 \times \sigma_2$. Then $\sigma_1$ is closed under some selective interleaving function $f_1$ of type $F_{i_1,j_1}$ and $\sigma_2$ is closed under some selective interleaving function $f_2$ of type $F_{i_2,j_2}$ if and only if $\sigma$ is closed under some selective interleaving function $f$ of type $F_{(i_1 : i_2),(j_1 : j_2)}$.

Proof: For any $s \in \sigma$ and $t \in \sigma$, let $s_{\sigma_1}$ be that part of $s$ that is in $\sigma_1$ and $s_{\sigma_2}$ be that part of $s$ that is in $\sigma_2$, and let $t_{\sigma_1}$ be that part of $t$ that is in $\sigma_1$ and $t_{\sigma_2}$ be that part of $t$ that is in $\sigma_2$. Going from left to right, assume $f_1(s_{\sigma_1}, t_{\sigma_1}) = u_1$ and $f_2(s_{\sigma_2}, t_{\sigma_2}) = u_2$. We can then let

$$f(s,t) = (((in(u_1)[1] : in(u_2)[1]), (out(u_1)[1] : out(u_2)[1])), ((in(u_1)[2] : in(u_2)[2]), (out(u_1)[2] : out(u_2)[2])), \ldots),$$

and we are done. Going from right to left, assume $s \in \sigma_1$ and $t \in \sigma_1$. Pick some arbitrary trace $r \in \sigma_2$, and let

$$u = (((in(s)[1] : in(r)[1]), (out(s)[1] : out(r)[1])), ((in(s)[2] : in(r)[2]), (out(s)[2] : out(r)[2])), \ldots),$$

and

$$v = (((in(t)[1] : in(r)[1]), (out(t)[1] : out(r)[1])), ((in(t)[2] : in(r)[2]), (out(t)[2] : out(r)[2])), \ldots).$$

Letting $w = f(u, v)$, we can then let

$$f_1(s,t) = ((in[1 \ldots j](w)[1], out[1 \ldots k](w)[1]), (in[1 \ldots j](w)[2], out[1 \ldots k](w)[2]), \ldots).$$

The proof for $s \in \sigma_2$ and $t \in \sigma_2$ is analogous, and we are done. □

Figure 3: Cascade of $\sigma_1$ and $\sigma_2$

Corollary 3.3 Let $\sigma$ be closed under some selective interleaving function of type $F_{i,j}$, and let $x \in \{0,1,2\}$ and $y \in \{0,1,2\}$ be such that either $x = 0$, $y = 0$, or $x = y$. Then $\sigma \times I$ is closed under, at least, one selective interleaving function of type $F_{(i:(x)),(j:(y))}$, and $I \times \sigma$ is closed under, at least, one selective interleaving function of type $F_{((x):i),((y):j)}$. □

Proof: Use the Identity Theorem with the Composition Theorem for Products. □


3.1.2  Cascade 

A more interesting type of system composition is cascading. (See Figure 3.) Cascades are formed by taking two systems $\sigma_1$ and $\sigma_2$ and passing $\sigma_1$’s output as input to $\sigma_2$. Although we assume that $\sigma_1$’s output meets any environment restrictions assumed by $\sigma_2$’s input, i.e., that $\sigma_1$’s output is acceptable input for $\sigma_2$, this assumption is used only in Corollary 3.7. Its purpose is to guarantee that if we place the cascade of $\sigma_1$ and $\sigma_2$ into an environment that satisfies the input restrictions of $\sigma_1$, the resulting system will be well-behaved.

Definition 3.4 (Cascade) Let $\Sigma_1$ and $\Sigma_2$ be state spaces of the form $\{((in_1, \ldots, in_k), (out_1, \ldots, out_m)) \mid in_i \in I^1_i \wedge out_i \in O^1_i\}$ and $\{((in_1, \ldots, in_m), (out_1, \ldots, out_n)) \mid in_i \in I^2_i \wedge out_i \in O^2_i\}$, respectively, such that $O^1_i \subseteq I^2_i$. Given two trace sets $\sigma_1 \subseteq \Sigma_1$ and $\sigma_2 \subseteq \Sigma_2$ where for every trace $s_1 \in \sigma_1$ there is a trace $s_2 \in \sigma_2$ such that $out(s_1) = in(s_2)$, $\sigma = \sigma_1 \circ \sigma_2$ is the trace set

$$\sigma = \{s \mid (\exists s_1 \in \sigma_1)(\exists s_2 \in \sigma_2)(in(s) = in(s_1) \wedge out(s_1) = in(s_2) \wedge out(s_2) = out(s))\}.$$

$\sigma$ is called the cascade of $\sigma_1$ and $\sigma_2$. □

Figure 4: Using $I$ and the cascade construction to form a general cascade of $\sigma_1$ and $\sigma_2$

Our definition of cascade assumes that $\sigma_1$ has the same number of output channels as $\sigma_2$ has input channels, with all of $\sigma_1$’s output going into $\sigma_2$ as input and all of $\sigma_2$’s input coming from $\sigma_1$. However, this assumption is not necessary. We can use the Composition Theorem for Products to append the identity system, $I$, to $\sigma_1$ so that the environment can provide input to $\sigma_2$ (via $I$) and to append $\sigma_2$ to $I$ so that $\sigma_1$ can provide output to the environment (also via $I$). We call $(\sigma_1 \times I) \circ (I \times \sigma_2)$ the general cascade of $\sigma_1$ and $\sigma_2$. (See Figure 4.) By Corollary 3.3, if $\sigma_1 \circ \sigma_2$ is closed under some selective interleaving function of type $F_{i,j}$ then the general cascade of $\sigma_1$ and $\sigma_2$ is closed under an analogous selective interleaving function, unless $i = (1, \ldots, 1)$ and $j = (2, \ldots, 2)$ or vice versa.

Theorem 3.5 (Composition Theorem for Cascades) Consider any two trace sets $\sigma_1$ and $\sigma_2$ as described in Definition 3.4, closed under selective interleaving functions $f_1$ of type $F_{i_1,j_1}$ and $f_2$ of type $F_{i_2,j_2}$, respectively. For any trace $a \in \sigma$, let $a_{\sigma_1}$ be a trace in $\sigma_1$ and $a_{\sigma_2}$ be a trace in $\sigma_2$ such that $in(a) = in(a_{\sigma_1})$, $out(a_{\sigma_1}) = in(a_{\sigma_2})$, and $out(a_{\sigma_2}) = out(a)$. (Note that $a_{\sigma_1}$ and $a_{\sigma_2}$ exist by the definition of cascade.) Assume that for every $s$ and $t$ in $\sigma$, $f_1(s_{\sigma_1}, t_{\sigma_1}) = u_1$ implies that there is a trace $u_2 \in \sigma_2$ such that (1) $out(u_1) = in(u_2)$ and (2) for all $x$ such that $j_2[x] \neq 0$: $out[x](u_2) = out[x](f_2(s_{\sigma_2}, t_{\sigma_2}))$. Then the function $f$, such that $in(f(s,t)) = in(u_1)$ and $out(f(s,t)) = out(u_2)$, is a selective interleaving function of type $F_{i_1,j_2}$ and $\sigma$ is closed under $f$.

Proof: For any $s$ and $t$ in $\sigma$, let $s_{\sigma_1}$, $t_{\sigma_1}$, $s_{\sigma_2}$, $t_{\sigma_2}$, $u_1$, $u_2$, and $f$ be as described in the statement of the theorem. Also, let $v$ be that sequence such that $in(v) = in(u_1)$ and $out(v) = out(u_2)$. Since by the assumptions of the theorem $out(u_1) = in(u_2)$, we know that $v \in \sigma$. Hence, $\sigma$ is closed under $f$. We shall show that $f$ is a selective interleaving function of type $F_{i_1,j_2}$. To this end, note that for all $x$ such that $i_1[x] = 1$: $in[x](v) = in[x](u_1) = in[x](s_{\sigma_1}) = in[x](s)$ and that for all $x$ such that $i_1[x] = 2$: $in[x](v) = in[x](u_1) = in[x](t_{\sigma_1}) = in[x](t)$. Similarly, note that for all $x$ such that $j_2[x] = 1$: $out[x](v) = out[x](u_2) = out[x](s_{\sigma_2}) = out[x](s)$ and that for all $x$ such that $j_2[x] = 2$: $out[x](v) = out[x](u_2) = out[x](t_{\sigma_2}) = out[x](t)$. Hence, $f$ meets all the conditions necessary to be a selective interleaving function of type $F_{i_1,j_2}$, and we are done. □


As an application of the Composition Theorem for Cascades, consider two systems $\sigma_1 \subseteq trace(\Sigma)$ and $\sigma_2 \subseteq trace(\Sigma)$ such that

$$\sigma_1 = \{s \mid lowout(s) = lowin(s) \wedge (\forall i)(highout(s)[i] = highin(s)[i] + lowin(s)[i])\}$$

$$\sigma_2 = \{s \mid lowout(s) = lowin(s) \wedge (\forall i)(highout(s)[i] = highin(s)[i] \times lowin(s)[i])\}.$$

Note that $\sigma_1$ is closed under $f_1$ of type $F_{(1,2),(0,2)}$ where

$$f_1(s,t)[i] = ((highin(s)[i], lowin(t)[i]), (highin(s)[i] + lowin(t)[i], lowout(t)[i]))$$

and $\sigma_2$ is closed under $f_2$ of type $F_{(1,2),(0,2)}$ where

$$f_2(s,t)[i] = ((highin(s)[i], lowin(t)[i]), (highin(s)[i] \times lowin(t)[i], lowout(t)[i])).$$

Hence, both $\sigma_1$ and $\sigma_2$ satisfy Generalized Noninterference. By the Composition Theorem for Cascades, $\sigma$ is closed under $f$ of type $F_{(1,2),(0,2)}$, where

$$f(s,t)[i] = ((highin(s)[i], lowin(t)[i]), ((highin(s)[i] + lowin(t)[i]) \times lowin(t)[i], lowout(t)[i])).$$

Hence, $\sigma$ satisfies Generalized Noninterference as well.

Although the Composition Theorem for Cascades is very general, it is sometimes difficult to apply since its application depends upon knowledge of system functionality to determine whether $u_2$ exists in $\sigma_2$. A simpler tool, which depends solely on the types of the relevant selective interleaving functions, is the following:


Corollary 3.6 Let $\sigma$, $\sigma_1$, $\sigma_2$, $f_1$, $f_2$, $F_{i_1,j_1}$, and $F_{i_2,j_2}$ be as described in the Composition Theorem for Cascades. Given any $s$ and $t$ in $\sigma$, let $s_{\sigma_1}$, $s_{\sigma_2}$, $t_{\sigma_1}$, $t_{\sigma_2}$, and $u_1$ also be as described in that theorem. If for all $1 \leq x \leq m$: $j_1[x] = i_2[x] \neq 0$, then there is a selective interleaving function $f$ of type $F_{i_1,j_2}$ such that $in(f(s,t)) = in(u_1)$, $out(f(s,t)) = out(f_2(s_{\sigma_2}, t_{\sigma_2}))$, and $\sigma$ is closed under $f$. □

Proof: Note that the restrictions on $j_1$ and $i_2$ imply that $f_2(s_{\sigma_2}, t_{\sigma_2})$ meets the conditions on $u_2$ required by the Composition Theorem for Cascades. □

As an application of Corollary 3.6, consider any trace sets $\sigma_1 \subseteq trace(\Sigma)$ and $\sigma_2 \subseteq trace(\Sigma)$ such that $\sigma = \sigma_1 \circ \sigma_2$ is defined. Our corollary tells us the following facts:

• If $\sigma_1$ and $\sigma_2$ satisfy Separability, then so does $\sigma$.

• If $\sigma_1$ and $\sigma_2$ satisfy Noninference, then so does $\sigma$.

• If one of $\{\sigma_1, \sigma_2\}$ satisfies Noninference and the other satisfies Separability, then $\sigma$ satisfies Noninference if $((\lambda_{H+L}, \lambda_{H+L}), \ldots) \in \sigma$.

• If $\sigma_1$ satisfies Separability and $\sigma_2$ satisfies Generalized Noninterference, then $\sigma$ satisfies Generalized Noninterference.

• If $\sigma_1$ satisfies Noninference and $\sigma_2$ satisfies Generalized Noninference, then $\sigma$ satisfies Generalized Noninference.

• If $\sigma_1$ satisfies Separability and $\sigma_2$ satisfies Generalized Noninference, then $\sigma$ satisfies Generalized Noninference if $((\lambda_{H+L}, \lambda_{H+L}), \ldots) \in \sigma$.

Corollary 3.6 requires that $f_1$ and $f_2$ must agree and be fully specified with respect to interface channels, i.e., that for all $x$: $i_2[x] = j_1[x] \neq 0$.⁸ As a consequence, although the corollary tells us about compositions where $\sigma_1$ satisfies Separability or Noninference, it tells us nothing about compositions where $\sigma_1$ satisfies Generalized Noninference or Generalized Noninterference. For such compositions we need the following:

Corollary 3.7 Let $\sigma$, $\sigma_1$, $\sigma_2$, $f_1$, $f_2$, $F_{i_1,j_1}$, and $F_{i_2,j_2}$ be as described in the Composition Theorem for Cascades and assume that for no $x$ does $i_2[x] = 0$. If either

(1) $((1 \leq x \leq m \wedge j_1[x] \neq i_2[x]) \rightarrow i_2[x] = 1) \wedge (1 \leq x \leq n \rightarrow j_2[x] \neq 1)$

or

(2) $((1 \leq x \leq m \wedge j_1[x] \neq i_2[x]) \rightarrow i_2[x] = 2) \wedge (1 \leq x \leq n \rightarrow j_2[x] \neq 2)$,

then there is a selective interleaving function $f$ of type $F_{i_1,j_2}$ such that $\sigma$ is closed under $f$. □

⁸ Although, by Theorem 2.4, the corollary also applies to cases where $i_2[x] = j_1'[x]$. A similar observation applies to all our theorems and corollaries.

Proof: For any $s$ and $t$ in $\sigma$, let $s_{\sigma_1}$, $s_{\sigma_2}$, $t_{\sigma_1}$, $t_{\sigma_2}$, and $u_1$ be as in the proof of the Composition Theorem for Cascades. Note that although $u_1$ satisfies the conditions necessary for it to serve as the input part of $f(s,t)$, this case differs from the case of Corollary 3.6 in that we cannot use $f_2(s_{\sigma_2}, t_{\sigma_2})$ as the output part of the trace since we cannot guarantee that $out(u_1) = in(f_2(s_{\sigma_2}, t_{\sigma_2}))$. However, by the interface requirement in the definition of cascade we know that there is some trace $u^* \in \sigma_2$ such that $out(u_1) = in(u^*)$. Assume condition (1) of the theorem holds and let $u_2 = f_2(u^*, t_{\sigma_2})$. Note that for all $1 \leq x \leq m$: if $i_2[x] = 1$ then $in[x](u_2) = in[x](u^*) = out[x](u_1)$ by construction of $u^*$, and if $i_2[x] = 2$ then $in[x](u_2) = in[x](t_{\sigma_2}) = out[x](u_1)$ by the relationship between $t_{\sigma_1}$ and $t_{\sigma_2}$. Also, note that for all $1 \leq x \leq n$ such that $j_2[x] = 2$: $out[x](u_2) = out[x](t_{\sigma_2}) = out[x](t)$. Since $j_2$ has no 1’s, $u_2$ fulfills all the conditions required by the Composition Theorem for Cascades. Condition (2) follows by an analogous argument where $u_2 = f_2(s_{\sigma_2}, u^*)$, and we are done. □

As an application of our new corollary, consider any trace sets $\sigma_1 \subseteq trace(\Sigma)$ and $\sigma_2 \subseteq trace(\Sigma)$ such that $\sigma = \sigma_1 \circ \sigma_2$ is defined. Our corollary tells us the following new facts:

• If $\sigma_1$ and $\sigma_2$ satisfy Generalized Noninterference, then so does $\sigma$.

• If $\sigma_1$ and $\sigma_2$ satisfy Generalized Noninference, then so does $\sigma$.

• If one of $\{\sigma_1, \sigma_2\}$ satisfies Generalized Noninference and the other satisfies Generalized Noninterference, then $\sigma$ satisfies Generalized Noninference if $((\lambda_{H+L}, \lambda_{H+L}), \ldots) \in \sigma$.

These facts support the following, rather interesting, observation about cascades: a possibilistic security property seems to be preserved by being cascaded with itself or with any property that is stronger than it.


3.1.3  Feedback 

Another type of composition consists of a system $\sigma_1$ serving as a front end to a system $\sigma_2$ or, equivalently, $\sigma_2$ serving as a back end to $\sigma_1$. The essential element of this connection is that $\sigma_2$ provides feedback to $\sigma_1$. (See Figure 5.) In this case when a user provides input to $\sigma_1$ (for example, at time 1 according to the user’s and $\sigma_1$’s local clocks), the output generated by this input is taken as input by $\sigma_2$ (also at time 1 by $\sigma_2$’s local clock). This input to $\sigma_2$ generates output, which is read as new input by $\sigma_1$ (at time 1 of $\sigma_2$’s local clock, but now time 2 of $\sigma_1$’s local clock). The user then receives from $\sigma_1$ the output that is generated in response to the input from $\sigma_2$ (at time 2 of $\sigma_1$’s local clock, but still time 1 of the user’s local clock). The user then provides the next input to $\sigma_1$ (time 2 by the user’s clock, but now time 3 by $\sigma_1$’s local clock). The process continues with the user providing $\sigma_1$ with its odd inputs at $\sigma_1$ local time $\tau$ (where $\tau$ is odd) and user local time $(\tau+1)/2$ and receiving $\sigma_1$’s even outputs at $\sigma_1$ local time $\tau$ (where $\tau$ is even) and user local time $\tau/2$. In the meantime, $\sigma_1$ sends its odd outputs to $\sigma_2$ at $\sigma_1$ local time $\tau$ (where $\tau$ is odd) and $\sigma_2$ local time $(\tau+1)/2$ and receives its even inputs from $\sigma_2$ at $\sigma_1$ local time $\tau$ (where $\tau$ is even) and $\sigma_2$ local time $\tau/2$.

Figure 5: $\sigma$ as the Feedback of $\sigma_1$ and $\sigma_2$

As in cascading, we assume that $\sigma_1$’s (odd) output meets any environment restrictions assumed by $\sigma_2$’s input. We also assume that the output of those traces of $\sigma_2$ that take input from $\sigma_1$ meets any environment restrictions assumed by $\sigma_1$’s (even) input. Although these assumptions are not necessary for the proofs presented in this section, they will reappear in Section 4 when we discuss the possibility of a feedback analogue for Corollary 3.7. As in the definition of cascade, their purpose is to guarantee that the feedback of $\sigma_1$ and $\sigma_2$ will be well-behaved if placed in an environment that satisfies $\sigma_1$’s (odd) input restrictions.

To formalize these interface assumptions, we cannot simply require that for every $s_1 \in \sigma_1$ there is a trace $s_2 \in \sigma_2$ such that for all odd $\tau$: $out(s_1)[\tau] = in(s_2)[(\tau+1)/2]$ and for all even $\tau$: $in(s_1)[\tau] = out(s_2)[\tau/2]$ since, in general, such a requirement is too strong. For example, although it is reasonable to require that for every trace $s_1 \in \sigma_1$ there is some trace $s_2 \in \sigma_2$ such that $out(s_1)[1] = in(s_2)[1]$ and to require that there is some trace $s_1^* \in \sigma_1$ such that $s_1^*[1] = s_1[1] \wedge in(s_1^*)[2] = out(s_2)[1]$, we cannot guarantee that $s_1^* = s_1$ since $in(s_1)[2]$ may not be a possible output for $\sigma_2$. What we need to say is that if two traces $s_1 \in \sigma_1$ and $s_2 \in \sigma_2$ have interfaced correctly up to $\sigma_2$ local time $\tau$, then each trace has a “continuation” that will interface correctly at $\sigma_2$ local time $\tau$.

Definition 3.8 (Interface Condition for Feedback) Let $\Sigma_1$ and $\Sigma_2$ be state spaces of the form $\{((in_1, \ldots, in_n), (out_1, \ldots, out_m)) \mid in_i \in I^1_i \wedge out_i \in O^1_i\}$ and $\{((in_1, \ldots, in_m), (out_1, \ldots, out_n)) \mid in_i \in I^2_i \wedge out_i \in O^2_i\}$, respectively, such that for all $1 \leq i \leq m$: $O^1_i \subseteq I^2_i$ and for all $1 \leq i \leq n$: $O^2_i \subseteq I^1_i$. For any trace $s_1 \in \sigma_1 \subseteq trace(\Sigma_1)$ and $s_2 \in \sigma_2 \subseteq trace(\Sigma_2)$ let the relation $downconnect(1, s_1, s_2) \equiv out(s_1)[1] = in(s_2)[1]$. For all $\tau > 0$: let the relation $upconnect(\tau, s_1, s_2) \equiv (downconnect(\tau, s_1, s_2) \wedge out(s_2)[\tau] = in(s_1)[2\tau])$, and for all $\tau > 1$: let the relation $downconnect(\tau, s_1, s_2) \equiv (upconnect(\tau - 1, s_1, s_2) \wedge in(s_2)[\tau] = out(s_1)[2\tau - 1])$. We say that $\sigma_1$ and $\sigma_2$ meet the interface requirements for feedback if and only if

• $(\forall s_1 \in \sigma_1)(\exists s_2 \in \sigma_2)\, downconnect(1, s_1, s_2)$,

• $(\forall \tau \geq 1)(\forall s_1 \in \sigma_1)(\forall s_2 \in \sigma_2)(\exists s^* \in \sigma_1)(downconnect(\tau, s_1, s_2) \rightarrow (s^*[1 \ldots (2\tau - 1)] = s_1[1 \ldots (2\tau - 1)] \wedge upconnect(\tau, s^*, s_2)))$,

• $(\forall \tau \geq 1)(\forall s_1 \in \sigma_1)(\forall s_2 \in \sigma_2)(\exists s^* \in \sigma_2)(upconnect(\tau, s_1, s_2) \rightarrow downconnect(\tau + 1, s_1, s^*))$.

□

Definition 3.9 (Feedback) Let $\sigma_1$ and $\sigma_2$ be as described in Definition 3.8 so that they meet the interface condition for feedback. $\sigma = \sigma_1 \leftrightarrow \sigma_2$ is the trace set

$$\sigma = \{s \mid (\exists s_1 \in \sigma_1)(\exists s_2 \in \sigma_2)(in(s)[\tau] = in(s_1)[2\tau - 1] \wedge out(s)[\tau] = out(s_1)[2\tau] \wedge in(s_2)[\tau] = out(s_1)[2\tau - 1] \wedge out(s_2)[\tau] = in(s_1)[2\tau])\}.$$

$\sigma$ is called the feedback of $\sigma_1$ and $\sigma_2$. □

As in cascading, although we assume that the interface channels of $\sigma_1$ and $\sigma_2$ can be placed in one-to-one correspondence, this assumption is not necessary. Using $I$ and the feedback construction, one can form a general hook-up. (See Figure 6.) We call $(\sigma_1 \times I) \leftrightarrow (I \times \sigma_2)$ the general composition of $\sigma_1$ and $\sigma_2$. As in the case of general cascades, the general composition of $\sigma_1$ and $\sigma_2$ preserves all interesting closure properties that are preserved by $\sigma_1 \leftrightarrow \sigma_2$.

Our composition theorem for feedback considers the case where $\sigma_1$ and $\sigma_2$ are intimately connected.

Theorem 3.10 (Composition Theorem for Feedback) Let $\sigma$, $\sigma_1$ and $\sigma_2$ be as described in Definition 3.9, and for any trace $a \in \sigma$, let $a_{\sigma_1}$ be a trace in $\sigma_1$ such that for all $\tau$: $in(a)[\tau] = in(a_{\sigma_1})[2\tau - 1] \wedge out(a)[\tau] = out(a_{\sigma_1})[2\tau]$, and let $a_{\sigma_2}$ be a trace in $\sigma_2$ such that for all $\tau$: $in(a_{\sigma_2})[\tau] = out(a_{\sigma_1})[2\tau - 1] \wedge out(a_{\sigma_2})[\tau] = in(a_{\sigma_1})[2\tau]$. (Note that $a_{\sigma_1}$ and $a_{\sigma_2}$ exist by the definition of feedback.) Assume that $\sigma_1$ is closed under some selective interleaving function $f_1$ of type $F_{i_1,j_1}$. If for every trace $s$ and $t$ in $\sigma$, $f_1(s_{\sigma_1}, t_{\sigma_1}) = u_1$ implies that there is a trace $u_2 \in \sigma_2$ such that for all $\tau$: $in(u_2)[\tau] = out(u_1)[2\tau - 1]$ and $out(u_2)[\tau] = in(u_1)[2\tau]$, then $\sigma$ is closed under some selective interleaving function $f$ of type $F_{i_1,j_1}$ such that

$$f(s,t) = ((in(u_1)[1], out(u_1)[2]), (in(u_1)[3], out(u_1)[4]), (in(u_1)[5], out(u_1)[6]), \ldots).$$

Figure 6: Using $I$ and the Feedback Construction to form a General Hook-up
Proof: For any traces $s$ and $t$ in $\sigma$, let $s_{\sigma_1}$, $s_{\sigma_2}$, $t_{\sigma_1}$, $t_{\sigma_2}$, and $u_1$ be as in the theorem. Note that for all $x$ such that $i_1[x] = 1$: $in[x](s)[\tau] = in[x](s_{\sigma_1})[2\tau - 1] = in[x](u_1)[2\tau - 1]$ and that for all $x$ such that $i_1[x] = 2$: $in[x](t)[\tau] = in[x](t_{\sigma_1})[2\tau - 1] = in[x](u_1)[2\tau - 1]$. Also note that for all $x$ such that $j_1[x] = 1$: $out[x](s)[\tau] = out[x](s_{\sigma_1})[2\tau] = out[x](u_1)[2\tau]$ and that for all $x$ such that $j_1[x] = 2$: $out[x](t)[\tau] = out[x](t_{\sigma_1})[2\tau] = out[x](u_1)[2\tau]$. Hence, $f$ as defined in the theorem is a selective interleaving function of type $F_{i_1,j_1}$. All that is left is to show that $f(s,t) \in \sigma$. To do this we must show that there is a trace $u_2 \in \sigma_2$ that correctly interfaces with $u_1$. However, the existence of $u_2$ is guaranteed by the assumptions of our theorem, and we are done. □

As an example of the Composition Theorem for Feedback, consider the system $\sigma \subseteq trace(\Sigma)$ such that $lowout_i = lowin_i$ and, for any high-level input, $highout_i$ randomly ranges over every value in its domain. In other words, $\sigma$ echoes low-level input and produces random high-level output given any high-level input. $\sigma$ satisfies Generalized Noninterference. By the Composition Theorem for Feedback, $\sigma \leftrightarrow \sigma$ does as well.
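As an added example (not from the paper), the following Python checks the two worked examples above by brute force: the cascade of the "+" and "×" systems from Section 3.1.2 and the feedback of the low-echo system with itself, over a constructed two-value channel domain with arithmetic taken mod 2 so that the trace sets are finite. Closure under some selective interleaving function of a given type is decided by searching, for each pair of traces, for the witness trace the type demands; it also confirms that the "+" system is not closed under the Separability type, since its high output depends on low input. The channel layout (one high and one low channel on each side), the fixed trace lengths, and the modulus are assumptions of the example.

```python
from itertools import product

# Added example, not the paper's own code. Constructed finite setting: channel values
# are 0/1 and the "+" and "x" of the paper's cascade example are taken mod 2.
DOM = (0, 1)
H, L = 0, 1  # channel index 0 is high, 1 is low, for inputs and outputs alike
# A trace is a tuple of steps; each step is ((highin, lowin), (highout, lowout)).


def all_traces(steps):
    step_space = [((hi, li), (ho, lo)) for hi, li, ho, lo in product(DOM, repeat=4)]
    return list(product(step_space, repeat=steps))


def system(high_rule, steps):
    """Trace set {s | lowout = lowin and high_rule(hi, li, ho) holds at every step}."""
    return frozenset(s for s in all_traces(steps)
                     if all(lo == li and high_rule(hi, li, ho) for (hi, li), (ho, lo) in s))


def agrees(u, s, t, itype, jtype):
    """Does u take input channel x from s where itype[x] == 1 and from t where
    itype[x] == 2 (0 = unconstrained), and likewise output channel x under jtype?"""
    for (ui, uo), (si, so), (ti, to) in zip(u, s, t):
        for x, tag in enum_pairs(itype):
            if (tag == 1 and ui[x] != si[x]) or (tag == 2 and ui[x] != ti[x]):
                return False
        for x, tag in enum_pairs(jtype):
            if (tag == 1 and uo[x] != so[x]) or (tag == 2 and uo[x] != to[x]):
                return False
    return True


def enum_pairs(tags):
    return list(enumerate(tags))


def closed_under_some_sif(sigma, itype, jtype):
    """sigma is closed under *some* selective interleaving function of type F_{itype,jtype}
    iff every pair (s, t) of traces in sigma has a witness u in sigma that agrees with
    s and t on the channels the type fixes (the free channels can be chosen per pair)."""
    return all(any(agrees(u, s, t, itype, jtype) for u in sigma)
               for s in sigma for t in sigma)


GNI = ((1, 2), (0, 2))   # Generalized Noninterference: F_{(1_H,2_L),(0_H,2_L)}
SEP = ((1, 2), (1, 2))   # Separability:                F_{(1_H,2_L),(1_H,2_L)}


def inputs(s):
    return tuple(i for i, _ in s)


def outputs(s):
    return tuple(o for _, o in s)


def cascade(sigma1, sigma2):
    """Definition 3.4: sigma1's output becomes sigma2's input, step by step."""
    by_input = {}
    for s2 in sigma2:
        by_input.setdefault(inputs(s2), []).append(s2)
    return frozenset(tuple(zip(inputs(s1), outputs(s2)))
                     for s1 in sigma1 for s2 in by_input.get(outputs(s1), ()))


def feedback(sigma1, sigma2):
    """Definition 3.9: sigma1 runs two local steps per global step; its odd outputs go to
    sigma2 and sigma2's outputs return as sigma1's even inputs (0-based indices here)."""
    result = set()
    for s1 in sigma1:
        half = len(s1) // 2
        needed_s2 = tuple((outputs(s1)[2 * k], inputs(s1)[2 * k + 1]) for k in range(half))
        if needed_s2 in sigma2:
            result.add(tuple((inputs(s1)[2 * k], outputs(s1)[2 * k + 1]) for k in range(half)))
    return frozenset(result)


# The paper's cascade example: highout = highin + lowin, then highout = highin x lowin.
SIGMA1 = system(lambda hi, li, ho: ho == (hi + li) % 2, steps=2)
SIGMA2 = system(lambda hi, li, ho: ho == (hi * li) % 2, steps=2)
# The paper's feedback example: low input echoed, high output free (any value).
ECHO2 = system(lambda hi, li, ho: True, steps=2)
ECHO4 = system(lambda hi, li, ho: True, steps=4)   # twice the steps: sigma1's local clock


def report():
    return {
        "sigma1 GNI": closed_under_some_sif(SIGMA1, *GNI),
        "sigma2 GNI": closed_under_some_sif(SIGMA2, *GNI),
        "sigma1 SEP": closed_under_some_sif(SIGMA1, *SEP),
        "cascade GNI": closed_under_some_sif(cascade(SIGMA1, SIGMA2), *GNI),
        "echo GNI": closed_under_some_sif(ECHO2, *GNI),
        "echo feedback GNI": closed_under_some_sif(feedback(ECHO4, ECHO2), *GNI),
    }


if __name__ == "__main__":
    for name, ok in report().items():
        print(f"{name}: {ok}")
```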

As in the case of the Composition Theorem for Cascades, the Composition Theorem for Feedback is general, but hard to apply since it requires knowledge of system functionality to determine whether $u_2$ exists in $\sigma_2$. The following corollary provides a simpler tool:

Corollary 3.11 Let $\sigma$, $\sigma_1$, $\sigma_2$, $f_1$, and $F_{i_1,j_1}$ be as described in the Composition Theorem for Feedback, and given any $s$ and $t$ in $\sigma$, let $s_{\sigma_1}$, $s_{\sigma_2}$, $t_{\sigma_1}$, $t_{\sigma_2}$, and $u_1$ also be as described in that theorem. Assume that $\sigma_2$ is closed under a selective interleaving function $f_2$ of type $F_{i_2,j_2}$. If $i_1 = j_2$, $i_2 = j_1$, and there is no $x$ such that $i_1[x] = 0$ or $i_2[x] = 0$, then there is a selective interleaving function $f$ of type $F_{i_1,j_1}$ such that $\sigma$ is closed under $f$ and

$$f(s,t) = ((in(u_1)[1], out(u_1)[2]), (in(u_1)[3], out(u_1)[4]), (in(u_1)[5], out(u_1)[6]), \ldots).$$

□

Proof: The corollary follows from the Composition Theorem for Feedback if we can show that there is some $u_2 \in \sigma_2$ that interfaces correctly with $u_1$. To see that there is such a trace in $\sigma_2$, consider $u_2 = f_2(s_{\sigma_2}, t_{\sigma_2})$. Since $i_1 = j_2$ and $i_2 = j_1$, the fact that neither $i_1$ nor $i_2$ contains any 0’s implies that $u_2$ satisfies the conditions required by the Composition Theorem for Feedback, and we are done. □

Consider any trace sets $\sigma_1 \subseteq trace(\Sigma)$ and $\sigma_2 \subseteq trace(\Sigma)$ such that $\sigma = \sigma_1 \leftrightarrow \sigma_2$ is defined. The following facts are consequences of our corollary:

• If $\sigma_1$ and $\sigma_2$ satisfy Separability, then so does $\sigma$.

• If $\sigma_1$ and $\sigma_2$ satisfy Noninference, then so does $\sigma$.

• If one of $\{\sigma_1, \sigma_2\}$ satisfies Separability and the other satisfies Noninference, then $\sigma$ satisfies Noninference if $((\lambda_{H+L}, \lambda_{H+L}), \ldots) \in \sigma$.

Note that Corollary 3.11 for feedback is the analogue of Corollary 3.6 for cascade. There is no feedback analogue of Corollary 3.7. We shall examine the reason for this in Section 4.

3.2  Internal  Composition  Constructs 

We now consider three elementary types of internal composition: $\sigma_1 \cup \sigma_2$, $\sigma_1 \cap \sigma_2$, and $\sigma_1 - \sigma_2$. The set consisting of these three composition constructions, which we shall call the set of regular composition constructions, is analogous to the set of constructions defined for access control policies in [9]. The first construction corresponds to a system that accepts any input acceptable to $\sigma_1$ or $\sigma_2$ and behaves as the relevant system would behave. If the input is acceptable to both systems, then the output could be the output of either system. The second construction accepts as input only input that is acceptable to both systems and gives as output only output that both systems could generate. The final construction accepts as input only input that $\sigma_2$ would not accept. Since the latter two constructions can obviously be used to refine a property, their composition properties also tell us about secure refinements. In general, the conditions for preserving closure properties with such constructs are very restrictive. We shall gain some insight into why this is the case in the next section.


Theorem 3.12 (Composition Theorem for Set Union) Assume that for some state space $\Sigma$, trace sets $\sigma_1 \subseteq \Sigma$ and $\sigma_2 \subseteq \Sigma$ are closed under selective interleaving functions $f_1$ of type $F_{i_1,j_1}$ and $f_2$ of type $F_{i_2,j_2}$, respectively, such that for all $x$: $i_1[x] \neq i_2[x] \rightarrow i_2[x] = 0$ and $j_1[x] \neq j_2[x] \rightarrow j_2[x] = 0$. Also assume that for each pair of traces $s_1 \in \sigma_1$ and $s_2 \in \sigma_2$ there is (1) either a trace $t \in \sigma_1$ such that for all $x$ such that $i_1[x] = 2$: $in[x](t) = in[x](s_2)$ and for all $x$ such that $j_1[x] = 2$: $out[x](t) = out[x](s_2)$, or a trace $t \in \sigma_2$ such that for all $x$ such that $i_2[x] = 1$: $in[x](t) = in[x](s_1)$ and for all $x$ such that $j_2[x] = 1$: $out[x](t) = out[x](s_1)$, and (2) either a trace $t \in \sigma_1$ such that for all $x$ such that $i_1[x] = 1$: $in[x](t) = in[x](s_2)$ and for all $x$ such that $j_1[x] = 1$: $out[x](t) = out[x](s_2)$, or a trace $t \in \sigma_2$ such that for all $x$ such that $i_2[x] = 2$: $in[x](t) = in[x](s_1)$ and for all $x$ such that $j_2[x] = 2$: $out[x](t) = out[x](s_1)$. Then $\sigma_1 \cup \sigma_2$ is closed under some selective interleaving function $f$ of type $F_{i_2,j_2}$.

Proof: We shall define a value of $f(s_1, s_2)$ for each $s_1$ and $s_2$ in $\sigma_1 \cup \sigma_2$. If $s_1$ and $s_2$ are both in $\sigma_1$, then $f(s_1, s_2) = f_1(s_1, s_2)$. If $s_1$ and $s_2$ are both in $\sigma_2 - \sigma_1$, then $f(s_1, s_2) = f_2(s_1, s_2)$. If $s_1 \in \sigma_1$ and $s_2 \in \sigma_2$, then note that by the first assumption in the theorem there is either a trace $t \in \sigma_1$ such that for all $x$ such that $i_1[x] = 2$: $in[x](t) = in[x](s_2)$ and for all $x$ such that $j_1[x] = 2$: $out[x](t) = out[x](s_2)$, or a trace $t \in \sigma_2$ such that for all $x$ such that $i_2[x] = 1$: $in[x](t) = in[x](s_1)$ and for all $x$ such that $j_2[x] = 1$: $out[x](t) = out[x](s_1)$. Assume that the first possibility is the case. Then let $f(s_1, s_2) = f_1(s_1, t)$. If the first possibility does not hold, then the second possibility must hold and we can let $f(s_1, s_2) = f_2(t, s_2)$. Since by the assumptions on $i_1$, $j_1$, $i_2$, and $j_2$ any function of type $F_{i_1,j_1}$ is also of type $F_{i_2,j_2}$, $f$ as defined is of type $F_{i_2,j_2}$. If $s_1 \in \sigma_2$ and $s_2 \in \sigma_1$ then an analogous argument applies using the second assumption of the theorem, and we are done. □

Theorem 3.13 (Composition Theorem for Set Intersection) Assume that for some state space $\Sigma$, trace sets $\sigma_1 \subseteq \Sigma$ and $\sigma_2 \subseteq \Sigma$ are closed under selective interleaving functions $f_1$ of type $F_{i_1,j_1}$ and $f_2$ of type $F_{i_2,j_2}$, respectively, such that for all $x$: $i_1[x] \neq i_2[x] \rightarrow i_2[x] = 0$ and $j_1[x] \neq j_2[x] \rightarrow j_2[x] = 0$. If for all $s_1 \in \sigma_1 \cap \sigma_2$ and $s_2 \in \sigma_1 \cap \sigma_2$: $f_1(s_1, s_2) \in \sigma_2$ or $f_2(s_1, s_2) \in \sigma_1$, then $\sigma = \sigma_1 \cap \sigma_2$ is closed under some selective interleaving function $f$ of type $F_{i_2,j_2}$.

Proof: As in the proof of the Composition Theorem for Set Union, any function of type $F_{i_1,j_1}$ is also of type $F_{i_2,j_2}$. Consider any $s_1$ and $s_2$ in $\sigma_1 \cap \sigma_2$. Since $\sigma_2$ is closed under $f_2$, $f_2(s_1, s_2) \in \sigma_2$. If $f_2(s_1, s_2) \in \sigma_1$ as well, then we can simply let $f(s_1, s_2) = f_2(s_1, s_2)$. Otherwise $f_2(s_1, s_2) \notin \sigma_1$, so the assumption of the theorem gives $f_1(s_1, s_2) \in \sigma_2$, and closure of $\sigma_1$ under $f_1$ gives $f_1(s_1, s_2) \in \sigma_1$; hence $f_1(s_1, s_2) \in \sigma_1 \cap \sigma_2$. In this case we can let $f(s_1, s_2) = f_1(s_1, s_2)$, and we are done. □

Theorem 3.14 (Composition Theorem for Set Subtraction) Assume trace sets $\sigma_1$ and $\sigma_2$ such that $\sigma_1$ is closed under some selective interleaving function $f$ of type $F_{i,j}$. Assume also that for each trace $s \in \sigma_1 \cap \sigma_2$ such that there are traces $s_1 \in \sigma_1 - \sigma_2$ and $s_2 \in \sigma_1 - \sigma_2$ where $f(s_1, s_2) = s$, there is a trace $s^* \in \sigma_1 - \sigma_2$ such that for all $x$ such that $i[x] \ne 0$: $\mathit{in}[x](s^*) = \mathit{in}[x](s)$, and for all $x$ such that $j[x] \ne 0$: $\mathit{out}[x](s^*) = \mathit{out}[x](s)$. Then there is a selective interleaving function $f^*$ of type $F_{i,j}$ such that $\sigma_1 - \sigma_2$ is closed under $f^*$.

Proof: We can let $f^* = f$ for all arguments $(s_1, s_2)$ except for the case where $s_1 \in \sigma_1 - \sigma_2$ and $s_2 \in \sigma_1 - \sigma_2$, but $f(s_1, s_2) \in \sigma_1 \cap \sigma_2$, i.e., $\sigma_1 - \sigma_2$ contains $s_1$ and $s_2$, but not $f(s_1, s_2)$. However, by assumption we know that in this case there is a trace $s^* \in \sigma_1 - \sigma_2$ such that for all $x$ such that $i[x] \ne 0$: $\mathit{in}[x](s^*) = \mathit{in}[x](f(s_1, s_2))$, and for all $x$ such that $j[x] \ne 0$: $\mathit{out}[x](s^*) = \mathit{out}[x](f(s_1, s_2))$. Let $f^*(s_1, s_2) = s^*$, and we are done. □

Corollary 3.15 (Secure Refinement) Let trace set $\sigma$ be closed under selective interleaving function $f$ of type $F_{i,j}$ and let $\sigma^*$ be a refinement of $\sigma$. Then $\sigma^*$ is closed under a selective interleaving function $f^*$ of type $F_{i,j}$ if either (1) there is some $\sigma'$ such that $\sigma^* = \sigma \cap \sigma'$, and $\sigma$ and $\sigma'$ meet the condition stated in Theorem 3.13 for $\sigma_1$ and $\sigma_2$, respectively, or (2) $\sigma$ and $\sigma - \sigma^*$ meet the conditions stated in Theorem 3.14 for $\sigma_1$ and $\sigma_2$, respectively.

Proof: Condition (1) follows directly from Theorem 3.13. Condition (2) follows from Theorem 3.14 since $\sigma^* \subseteq \sigma$ implies that $\sigma - (\sigma - \sigma^*) = \sigma^*$. □


4  Discussion 


Although we have considered only 2-level security policies, it should be noted that 2-argument selective interleaving functions can capture multi-level policies as well. For example, a 3-level Separability policy on a state space where level $i$ is assigned input channel $\mathit{in}_i$ and output channel $\mathit{out}_i$ is the requirement that a trace set be closed under selective interleaving functions of type $F_{\langle 1,2,2\rangle,\langle 1,2,2\rangle}$, $F_{\langle 2,1,2\rangle,\langle 2,1,2\rangle}$, and $F_{\langle 2,2,1\rangle,\langle 2,2,1\rangle}$.
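The following Python program is an added example and is not part of the original paper. It encodes closure of a finite trace set under a selective interleaving function of type $F_{i,j}$ (a pair $(s_1, s_2)$ is a counterexample when no trace of the set agrees with $s_1$ on the channels selected by 1 and with $s_2$ on the channels selected by 2, the channels selected by 0 being free), uses it to check the 3-level Separability policy above, and exercises the set-union and set-intersection theorems of Section 3 on small constructed systems. The channel layout (one input and one output channel per level), the two-step binary input words, and the ECHO, INVERT and leaky behaviours are assumptions made for the illustration only.

```python
"""Closure of finite trace sets under selective interleaving functions.

A trace is a tuple of six per-channel value sequences in the fixed order
(in1, in2, in3, out1, out2, out3); level k owns in_k and out_k.
A type F_{i,j} is given by the selector vectors i (inputs) and j (outputs),
each entry 0 (unconstrained), 1 (taken from s1) or 2 (taken from s2).
All systems below are constructed for this example.
"""
from itertools import product

LEVELS = (1, 2, 3)


def closure_witness(sigma, i, j):
    """None if sigma is closed under some f of type F_{i,j}; otherwise the first
    pair (s1, s2) in sigma x sigma for which no trace of sigma agrees with s1 on
    the channels selected by 1 and with s2 on the channels selected by 2."""
    sel = [(c, k) for c, k in enumerate(i + j) if k != 0]
    present = {tuple(t[c] for c, _ in sel) for t in sigma}
    for s1 in sigma:
        for s2 in sigma:
            required = tuple((s1 if k == 1 else s2)[c] for c, k in sel)
            if required not in present:
                return s1, s2
    return None


def separability_types():
    """The three types of the 3-level Separability policy:
    F_<1,2,2>,<1,2,2>, F_<2,1,2>,<2,1,2> and F_<2,2,1>,<2,2,1>."""
    types = []
    for k in LEVELS:
        vec = tuple(1 if lvl == k else 2 for lvl in LEVELS)
        types.append((vec, vec))
    return types


def is_separable(sigma):
    return all(closure_witness(sigma, i, j) is None for i, j in separability_types())


def product_system(level_behaviours):
    """Cartesian product of per-level behaviours. Each behaviour is a list of
    (input_word, output_word) pairs for that level's two channels."""
    sigma = set()
    for combo in product(*level_behaviours):
        ins = tuple(inp for inp, _ in combo)
        outs = tuple(out for _, out in combo)
        sigma.add(ins + outs)
    return sigma


# Constructed per-level behaviours over two-step binary input words.
WORDS = list(product((0, 1), repeat=2))
ECHO = [(w, w) for w in WORDS]                          # output copies input
INVERT = [(w, tuple(1 - b for b in w)) for w in WORDS]  # output negates input


def leaky_system():
    """Every level echoes its input except that out1 copies in2, i.e. the
    level-2 input is visible on the level-1 output."""
    return {(w1, w2, w3, w2, w2, w3) for w1, w2, w3 in product(WORDS, repeat=3)}


def summarize():
    sep = product_system([ECHO, ECHO, ECHO])
    leaky = leaky_system()
    return {
        # a product of per-level behaviours satisfies all three Separability types
        "product_is_separable": is_separable(sep),
        # the leak breaks closure under F_<1,2,2>,<1,2,2> ...
        "leaky_is_separable": is_separable(leaky),
        # ... but with level 2 left unconstrained (selector 0) the leaky system is
        # still closed: level 3 is separable from level 1, level 2 is not
        "leaky_levels_1_3": closure_witness(leaky, (1, 0, 2), (1, 0, 2)) is None,
        "leaky_levels_1_2": closure_witness(leaky, (1, 2, 0), (1, 2, 0)) is None,
        # union: preserved when the two systems differ on one level only
        # (the hypothesis of Theorem 3.12 holds), lost when they differ on every level
        "union_shared_rest": is_separable(sep | product_system([INVERT, ECHO, ECHO])),
        "union_all_different": is_separable(sep | product_system([INVERT, INVERT, INVERT])),
        # intersection of two products is again a product (Theorem 3.13)
        "intersection": is_separable(product_system([ECHO + INVERT, ECHO, ECHO])
                                     & product_system([ECHO, ECHO + INVERT, ECHO])),
    }


if __name__ == "__main__":
    for name, value in summarize().items():
        print(f"{name}: {value}")
```

The check is quadratic in the size of the trace set, which is fine for the sets built here; for the union case with three different levels the returned witness pair is exactly the situation the proof of Theorem 3.12 has to rule out: a trace of $\sigma_1$ and a trace of $\sigma_2$ for which neither set contains a suitable partner trace $t$.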

One benefit of our approach is the new results it has generated. We have seen several theorems about selective interleavings and about the composability of closure properties with respect to selective interleavings, which we have applied to several security properties. This has given us new facts about the relationships among these properties and about their composability with each other and with themselves. One observation we have made is that a property seems to be preserved by being cascaded with itself or with a stronger property. Another is that Separability seems to be just as composable as both Noninference, which is less secure than Separability, and Restrictiveness, which is more complicated than Separability. We have also shown that even for systems not suitable for Separability (i.e., systems where low-level users affect high-level output), we do not have to resort to Restrictiveness if we limit ourselves to the composition constructs of product and cascade.

Another benefit is that our approach sheds new light on familiar results. For example, although McCullough showed that Generalized Noninterference is not preserved when a system $\sigma$ is composed by general composition from component systems $\sigma_1$ and $\sigma_2$, his example gives no indication whether the problem with general composition is the fact that $\sigma_1$ provides input to $\sigma_2$, the fact that $\sigma_2$ provides feedback to $\sigma_1$, or the fact that $\sigma_2$ can provide direct output to the environment. (His example does not require that the environment provide direct input to $\sigma_2$.) Given our results about cascaded systems, we can see that feedback is the culprit.

To understand why, consider McCullough's example in more detail. To construct $\sigma$, McCullough considered a system $\sigma_1$ which receives arbitrary high-level input and responds with a high-level output for each input. It may also receive a low-level input of cancel, to which it will eventually respond by sending a low-level output of cancel. If when the low-level output is sent the number of high-level inputs is equal to the number of high-level outputs, the low-level output nothing-to-cancel may be sent as well (but it does not have to be). System $\sigma_2$ is the same as $\sigma_1$ but a low-level output of cancel is not sent. If when the low-level input is received the number of high-level inputs is equal to the number of high-level outputs, the low-level output nothing-to-cancel may be sent as well (but it does not have to be). The system $\sigma$ is composed from $\sigma_1$ and $\sigma_2$ by sending $\sigma_1$'s high-level output and low-level output of cancel to $\sigma_2$ as input and sending $\sigma_2$'s high-level output to $\sigma_1$ as input. System $\sigma_2$ can receive no input from the user. The output of $\sigma$ is the Cartesian product of the low-level outputs of $\sigma_1$ and $\sigma_2$.

The problem with $\sigma$ is that there is no corollary of the Composition Theorem for Feedback that corresponds to Corollary 3.7 of the Composition Theorem for Cascade. The conditions a trace must meet to be in $\sigma$ are too strong to support such a corollary since they require not only that the output of some trace in $\sigma_1$ be acceptable as input to some trace in $\sigma_2$ (a condition also required by cascade), but also that the output of the latter trace be acceptable as input to the former. This second requirement severely cuts back on the number of traces a system composed via feedback can exhibit. Given any two legal traces $s$ and $t$, possibilistic security properties require the existence of a third trace $f(s,t)$ that combines the first two. Hence, it is understandable why not many such properties are preserved by constructions that make it hard for $f(s,t)$ to exist.⁹


⁹This also explains why security does not do well under internal composition. The union construct tends to increase the number of legal traces $s$ and $t$ more quickly than it increases the number of traces $f(s,t)$, and both the intersection and set difference constructions decrease the number of traces
It might seem that we could prove the necessary corollary by applying the Interface Condition for Feedback and the same trick used to prove Corollary 3.7. For example, let $\sigma$, $\sigma_1$, $\sigma_2$, $f_1$, $f_2$, $F_{i_1,j_1}$ and $F_{i_2,j_2}$ be as described in Corollary 3.11, and given any $s$ and $t$ in $\sigma$, let $s_{\sigma_1}$, $s_{\sigma_2}$, $t_{\sigma_1}$, and $t_{\sigma_2}$ also be as described in that corollary with $u_1 = f_1(s_{\sigma_1}, t_{\sigma_1})$. Assume that for no $x$ does $i_2[x] = 0$ and that the first condition of Corollary 3.7 holds, i.e.,

$$((1 \le x \le m \land j_1[x] \ne i_2[x]) \rightarrow i_2[x] = 1) \land (1 \le x \le n \rightarrow j_2[x] \ne 1).$$

Now, even if $i_2 \ne j_1$, we know that there is a trace $v^* \in \sigma_2$ such that $\mathit{in}(v^*)[1] = \mathit{out}(u_1)[1]$. Hence, we could let $v_1$ be $f_2(v^*, t_{\sigma_2})$ and know that $\mathit{in}(v_1)[1] = \mathit{out}(u_1)[1]$. However, to know that $\mathit{in}(u_1)[2] = \mathit{out}(v_1)[1]$, we would have to assume that for all $1 \le y \le n$: $i_1[y] = j_2[y] = 2$. This would yield the result that $\sigma$ is closed under a selective interleaving function of type $F_{\langle 2,\ldots,2\rangle,\langle 2,\ldots,2\rangle}$, but this result trivially holds for all trace sets. Another approach would be to construct a trace in $\sigma_1$ from $u_1$ to interface with $v_1$. Assuming that $i_1$, $j_2$, and $j_1$ meet the same conditions as $i_2$, $j_1$, and $j_2$, respectively, we could use the fact that there is some trace $w^* \in \sigma_1$ such that $w^*[1] = u_1[1]$ and $\mathit{in}(w^*)[2] = \mathit{out}(v_1)[1]$ to form $w_1 = f_1(w^*, u_1)$ to interface with $v_1$. We could continue in this fashion, constructing two sequences of traces $w_i$ and $v_i$ that interface with each other at times $1, \ldots, i$. This would prove:

(1) $(\forall i)(\exists w \in \sigma_1)(\exists v \in \sigma_2)(\forall x)\,\big(1 \le x \le i \rightarrow (\mathit{in}(v)[x] = \mathit{out}(w)[2x-1] \land \mathit{out}(v)[x] = \mathit{in}(w)[2x])\big).$

However, to show that $\sigma$ is closed under a selective interleaving function of the form $F_{i_1,j_1}$, we would have to prove:

(2) $(\exists w \in \sigma_1)(\exists v \in \sigma_2)(\forall i)\,\big(\mathit{in}(v)[i] = \mathit{out}(w)[2i-1] \land \mathit{out}(v)[i] = \mathit{in}(w)[2i]\big).$

The first statement says that for every time $i$ we can find two traces that interface correctly together up through $i$. The second statement says that we can find two traces that interface together correctly at every time $i$. Although the second implies the first, the first does not imply the second.

Returning to the McCullough example, note that there is a large set of traces in both $\sigma_1$ and $\sigma_2$ that accept high-level input and produce nothing-to-cancel. Further, for any time $i$, there is a pair of traces $s_1 \in \sigma_1$ and $s_2 \in \sigma_2$, each containing both high-level input and nothing-to-cancel, such that $s_1$ and $s_2$ interface correctly through $i$. However, none of these trace pairs interface correctly for all times $i$. Hence, a high-level input to $\sigma$ rules out an otherwise acceptable low-level output of (nothing-to-cancel, nothing-to-cancel).


From an information-theoretic viewpoint, the feedback might simply be exacerbating a high-to-low channel that is already present in the two component systems, since it is possible that a Trojan Horse can use $\sigma_1$ or $\sigma_2$ to pass information by altering the probability that a low-level user will see the output nothing-to-cancel. For example, assume that (1) if there is nothing to cancel, then the system under consideration gives the output nothing-to-cancel 50% of the time, (2) the Trojan Horse can block high-level input from the user, and (3) the Trojan Horse can submit high-level inputs at such a rate that there is a nonzero probability that the system will still be processing high-level inputs when the cancel output is given (in the case of $\sigma_1$) or when the cancel input is received (in the case of $\sigma_2$). A Trojan Horse can send a 1 to the low-level user by flooding the system with high-level inputs, thereby lowering the probability that nothing-to-cancel will appear as low-level output to under 50%, and it can send a 0 to the low-level user by blocking all high-level inputs, thereby assuring that the probability that nothing-to-cancel will appear as low-level output is 50%.

However, the feedback might also be creating a channel where none existed before. Since the Trojan Horse can transmit information only if we assume that it can lower the probability that nothing-to-cancel will appear as low-level output, we can effectively shut down the Trojan Horse in each component by making the component fast relative to the Trojan Horse (i.e., so that the component can process the Trojan Horse's high-level inputs and send them on their way as high-level outputs faster than the Trojan Horse can produce them). If we can make each component very fast relative to the Trojan Horse, there will never be any high-level input that will be cancelled. In such a system, nothing-to-cancel will appear as low-level output 50% of the time, independently of what the Trojan Horse does.

However, although each component system may have a high-to-low capacity of 0, $\sigma$ still has a positive capacity. If the Trojan Horse blocks all high-level input, each component system has a 50% chance of producing nothing-to-cancel and there is a 25% chance that both components will produce nothing-to-cancel. However, if the Trojan Horse floods the system, there is a 0% chance of both systems producing nothing-to-cancel.¹⁰ Hence, we have connected two systems with 0 high-to-low capacity to form a composite system with positive high-to-low capacity. For example, assume that we have no control over which system will be performing high-level processing at the time high-level processing is killed. In this case the composite system's low-level output when the Trojan Horse blocks high-level input will be (λ, λ) 25% of the time, (nothing-to-cancel, λ) 25% of the time, (λ, nothing-to-cancel) 25% of the time, and (nothing-to-cancel, nothing-to-cancel) 25% of the time. When the Trojan Horse submits a high-level input, low-level output will be (λ, λ) 50% of the time, (nothing-to-cancel, λ) 25% of the time, (λ, nothing-to-cancel) 25% of the time, and (nothing-to-cancel, nothing-to-cancel) 0% of the time. The resulting channel has a capacity of about 0.16 bits per symbol (attained when the Trojan Horse floods with probability 0.6). In fact, even if we limit ourselves to looking at a single low-level channel (e.g., the output from $\sigma_1$ or the output from $\sigma_2$), there is a high-to-low channel of positive capacity in the composed system.

¹⁰I am assuming that communication between $\sigma_1$ and $\sigma_2$ is instantaneous so that there is no chance of the high-level input being "between" systems when high-level processing stops. McCullough must make the same assumption for $\sigma$ to fail to satisfy Generalized Noninterference.
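The capacity figure above can be reproduced from the two output distributions given in the text. The following Python code is an added example, not part of the paper: it computes the capacity of a discrete memoryless channel with the Blahut-Arimoto iteration and applies it to the composite system's four-symbol low-level output (input alphabet: the Trojan Horse blocks or floods) and to the two-symbol marginal a low-level user sees on a single component's output. The symbol names and the block/flood input alphabet are assumptions of the example; the probabilities are those stated in the text.

```python
"""Capacity of the high-to-low channel in McCullough's feedback example."""
import math

# Low-level output of the composite system as a pair: for each component,
# "n" if it emitted nothing-to-cancel and "-" (the text's lambda) if it did not.
SYMBOLS = ("--", "n-", "-n", "nn")

# Rows: the Trojan Horse's two input symbols. Columns: P(output | input),
# with the percentages stated in the text.
COMPOSITE = {
    "block": (0.25, 0.25, 0.25, 0.25),
    "flood": (0.50, 0.25, 0.25, 0.00),
}


def marginal(rows, component):
    """Collapse the pair output to what a user sees on one component's output:
    (P(no nothing-to-cancel), P(nothing-to-cancel)) for each input."""
    idx = 0 if component == 1 else 1
    out = {}
    for x, probs in rows.items():
        p_n = sum(p for sym, p in zip(SYMBOLS, probs) if sym[idx] == "n")
        out[x] = (1.0 - p_n, p_n)
    return out


def mutual_information(px, rows):
    """I(X;Y) in bits for input distribution px (dict) and channel matrix rows."""
    xs = list(rows)
    n_out = len(rows[xs[0]])
    py = [sum(px[x] * rows[x][y] for x in xs) for y in range(n_out)]
    total = 0.0
    for x in xs:
        for y in range(n_out):
            w = rows[x][y]
            if w > 0 and px[x] > 0:
                total += px[x] * w * math.log2(w / py[y])
    return total


def capacity(rows, iterations=10000, tol=1e-12):
    """Blahut-Arimoto: starting from the uniform input distribution, repeatedly
    set p(x) proportional to exp(sum_y W(y|x) log q(x|y)) where
    q(x|y) = p(x) W(y|x) / p(y). Returns (capacity in bits, maximising p)."""
    xs = list(rows)
    n_out = len(rows[xs[0]])
    px = {x: 1.0 / len(xs) for x in xs}
    for _ in range(iterations):
        py = [sum(px[x] * rows[x][y] for x in xs) for y in range(n_out)]
        new = {}
        for x in xs:
            score = sum(w * math.log(px[x] * w / py[y])
                        for y, w in enumerate(rows[x]) if w > 0)
            new[x] = math.exp(score)
        z = sum(new.values())
        new = {x: v / z for x, v in new.items()}
        delta = max(abs(new[x] - px[x]) for x in xs)
        px = new
        if delta < tol:
            break
    return mutual_information(px, rows), px


if __name__ == "__main__":
    cap, best = capacity(COMPOSITE)
    print(f"composite channel: {cap:.4f} bits/symbol at P(flood) = {best['flood']:.3f}")
    for k in (1, 2):
        cap_k, _ = capacity(marginal(COMPOSITE, k))
        print(f"output of component {k} alone: {cap_k:.4f} bits/symbol")
```

For two inputs the optimum can also be found by hand: differentiating $I(X;Y)$ with respect to $p = P(\text{flood})$ gives the condition $0.25 + 0.25p = 4(0.25 - 0.25p)$, i.e. $p = 0.6$, where the mutual information is about 0.161 bits. The single-component marginal (nothing-to-cancel with probability 0.5 under blocking and 0.25 under flooding) has a capacity of about 0.05 bits, small but positive, which is the claim made in the last sentence above.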

5  Conclusion 


We have constructed a general framework for specifying and reasoning about compositions of a class of properties that fall outside of the safety/liveness domain of [2], and we have shown the framework's applicability to possibilistic security properties. The framework we have developed has allowed us to partially order several possibilistic security properties and to examine their composability. We have seen that properties do quite well when composed with themselves or with stronger properties via the product and cascade constructions. However, survival under feedback and internal constructions (including refinement) is contingent upon particulars of system functionality. We have looked at the reason for this.

Along  the  way  we  have  presented  a  new  model,  Sep¬ 
arability,  and  we  have  shown  that  if  we  can  live  with 
its  limitation  that  it  can  be  applied  only  to  systems 
where  low-level  events  cannot  affect  high-level  events, 
it  provides  a  composable  formulation  of  secrecy  that 
is  simpler  than,  yet  just  as  secure  as,  Restrictiveness 
and  more  secure,  though  no  more  complicated  than, 
Noninference. 

The  framework  and  theorems  presented  in  this  pa¬ 
per  form  the  building  blocks  of  a  general  theory  of 
system  properties  and  their  composition,  one  of  whose 
applications  is  security.  The  framework  has  the  advan¬ 
tage  that  it  fits  in  well  with  other  computer  science 
modeling  frameworks,  e.g.,  [2]  and  with  frameworks 
for  modeling  probabilistic  systems,  e.g.,  [5].  This  al¬ 
lows  us  to  bring  in  results  from  general  computer  sci¬ 
ence  and  extend  our  results  to  probabilistic  models  in 
the  future.  By  jettisoning  the  requirement  of  input 
totality,  our  framework  allows  us  to  use  assumptions 
about  system  environments  to  simplify  the  analysis  of 
embedded  systems. 